Malicious PDF — malware analysis report

Static analysis result for SHA-256 c96bdc841b5c0eaa…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
MD5: 0ae37f29c104b9b6d61aafe936602cb9
SHA-1: 42adba0fadd336701d90c74f2dd37768c3de04f1
SHA-256: c96bdc841b5c0eaae4acb1d6a579f9e3d0bcde08a12bc61224f91dab3a233fc5
Risk Score: 178

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution

The PDF file uses XFA forms, a known exploitation vector. High-confidence heuristics and a ClamAV signature confirm the malicious verdict, flagging the file as an exploit agent. The embedded script payload was not analyzed for its specific actions, but it is the likely mechanism for delivering the exploit. The embedded URLs are XFA namespace and schema identifiers and do not appear to be directly malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000246.bin
SHA-256: 22e7d12ef56db7e6f55bc9247295936bb9935d2b52d75670d4eb4e61ee2e7584
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x246
Size: 83927 bytes
Detection: ClamAV: Pdf.Exploit.Agent-36769
Obfuscation or payload: unlikely